GM/T 0132-2023 PDF English
US$655.00 · In stock · Download in 9 secondsGM/T 0132-2023: Implementation guide for information system cryptography application Delivery: 9 seconds. True-PDF full-copy in English & invoice will be downloaded + auto-delivered via email. See step-by-step procedureStatus: Valid
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivery | Name of Chinese Standard | Status |
GM/T 0132-2023 | English | 655 |
Add to Cart
|
0-9 seconds. Auto-delivery
|
Implementation guide for information system cryptography application
| Valid |
Excerpted PDFs (Download full copy in 9 seconds upon purchase)PDF Preview: GM/T 0132-2023
Similar standards GM/T 0011
GM/T 0132-2023: Implementation guide for information system cryptography application---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GMT0132-2023
GM
CRYPTOGRAPHY INDUSTRY STANDARD
ICS 35.030
CCS L 80
Implementation guide for information system cryptography
application
Issued on: DECEMBER 04, 2023
Implemented on: JUNE 01, 2024
Issued by. State Cryptography Administration
Table of Contents
Foreword... 4
1 Scope... 5
2 Normative references... 5
3 Terms and definitions... 5
4 Overview of implementation of information system cryptography application... 5
4.1 Roles and responsibilities... 6
4.2 Basic process... 7
5 Planning of cryptography application in information systems... 8
5.1 Workflow of the planning phase... 8
5.2 Analysis of cryptography application requirements... 9
5.2.1 Analysis of the current status of information systems... 9
5.2.2 Analysis of security risks in cryptography applications... 11
5.2.3 Determination of basic requirements for cryptography applications... 11
5.2.4 Determination of special requirements for cryptography applications... 12
5.2.5 Documentation of requirements analysis results... 13
5.3 Design of cryptography application solutions... 13
5.3.1 Overall strategy design... 13
5.3.2 Design of cryptography application technology solutions... 14
5.3.3 Design of cryptography application security management solution... 15
5.3.4 Compliance self-inspection... 15
5.3.5 Design of implementation support solution... 16
5.3.6 Documentation of design results... 17
5.4 Solution security assessment... 17
6 Construction of information system cryptography application... 19
6.1 Workflow during the construction phase... 19
6.2 Design of cryptography construction solution... 19
6.2.1 Design of the implementation content of cryptography application technical
measures... 19
6.2.2 Design of implementation content of cryptography application security management
measures... 20
6.2.3 Documentation of design results... 21
6.3 Implementation of cryptography application technical measures... 21
6.3.1 Procurement of cryptography products and services... 21
6.3.2 Integration of cryptography applications... 22
6.4 Implementation of cryptography application security management measures... 23
6.4.1 Formulation of a security management system supporting cryptography applications
... 23
6.4.2 Setting up of cryptography management positions and personnel... 23
Implementation guide for information system cryptography
application
1 Scope
This document provides process guidance and recommendations for the information
system cryptography application. It describes the implementation process and main
activities in the planning, construction, operation and termination stages.
This document is intended to guide the implementation of information system
cryptography application.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
GB/T 20984, Information security technology - Risk assessment method for
information security
GB/T 39786, Information security technology - Baseline for information system
cryptography application
GM/T 0115, Testing and evaluation requirements for information system
cryptography application
GM/T 0116, Testing and evaluation process guide for information system
cryptography application
GM/Z 4001, Cryptography terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T 39786
and GM/Z 4001 apply.
4 Overview of implementation of information system
cryptography application
4.1 Roles and responsibilities
The various roles and responsibilities involved in the information system cryptography
application are as follows.
a) Cryptography management department
Responsible for managing cryptography work in accordance with the law.
b) Information system responsible unit
Usually including project construction units and information system operation and
use units, responsible for designing cryptography application solutions in
accordance with the management specifications and technical standards of
information system cryptography applications. Use cryptography algorithms,
cryptography technologies, cryptography products and cryptography services that
comply with national regulations and meet the basic requirements of information
system corresponding level cryptography applications to carry out information
system cryptography application construction or rectification work. Formulate
and implement various supporting security management systems for
cryptography applications. Regularly conduct self-inspections on the security
status of information system cryptography applications, the implementation of
supporting security management systems and measures for cryptography
applications. Conduct commercial cryptography application security assessments
(referred to as "security assessments") by themselves or entrust commercial
cryptography application security assessment institutions, including
cryptography application solution security assessments (referred to as "solution
security assessments") and information system security assessments (referred to
as "system security assessments"). Conduct emergency response to cryptography
application security incidents.
c) Cryptography application integration service unit
Responsible for assisting the information system responsible unit to complete the
planning, construction, operation and termination stages of information system
cryptography application (including but not limited to cryptography application
consultation, cryptography application demand analysis, cryptography
application solution design, cryptography application integrated construction or
rectification services) according to the entrustment of the information system
responsible unit and in accordance with the management specifications and
technical standards of information system cryptography application.
d) Commercial cryptography application security assessment agency
structure, major software and hardware components, major cryptography products, etc.
that may bring high-risk problems), the security requirement level of the information
system cryptography application changes, and major cryptography-related security
incidents lead to major adjustments, and the cryptography application solution needs to
be modified, it shall enter the planning stage from the operation stage, to restart the
implementation process of the information system cryptography application.
For information systems that have not developed a cryptography application solution,
regardless of whether the information system has started construction and is online, the
construction or transformation process of its cryptography application is deemed to start
from the planning stage.
The main processes, activities, inputs and outputs of each stage in the basic process of
implementing information system cryptography applications shall be in accordance
with the provisions of Annex A.
5 Planning of cryptography application in information systems
5.1 Workflow of the planning phase
The goal of the information system cryptography application planning stage is to
analyze and clarify the information system's cryptography application requirements and
design a clear cryptography application solution based on the basic information system
situation, network topology, software and hardware composition, business information,
and security requirements, in accordance with the requirements of GB/T 39786.The
workflow of the information system cryptography application planning stage is shown
in Figure 2.
Understand the overall information of the information system, including basic
conditions, network topology, carried business conditions, and software and
hardware composition.
b) Identify the management of information systems
Understand the management of information systems, including management
organizations, managers, management responsibilities, management systems, and
security strategies.
c) Identify the information assets of the information system
Investigate the information assets processed by the information system. Identify
important information resources and important data that need to be protected
according to national and industry standards for data classification and grading.
d) Determine the security requirements for the application of information system
cryptography
Determine the level of security requirements for the information system
cryptography application based on the information system's network security
protection level.
If the information system has not completed the network security level protection
classification, the security requirement level for information system cryptography
application shall be determined based on the proposed classification.
e) Comprehensive description of information system
Organize and analyze the collected information to form a description of the current
status of the information system from the following aspects.
1) Basic information of the information system;
2) Information system network topology;
3) Business conditions carried by the information system;
4) Information system hardware and software composition;
5) Information system management conditions;
6) Important information assets that need to be protected, including but not
limited to important information resources and important data;
7) Security requirement level for information system cryptography application.
Activity output. Information system overview section of the cryptography application
solution.
5.2.2 Analysis of security risks in cryptography applications
Activity objectives.
Based on the current status of information systems, analyze the cryptography
application security risks in information systems.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. general description document of the information system, classification
report of network security protection level, and analysis document of information
system assets, threats and vulnerabilities.
Activity description.
According to the corresponding level indicator requirements of GB/T 39786, analyze
the current status of the information system to see if it meets the indicator requirements
one by one. For those that do not meet the indicator requirements, analyze the security
risks they face according to GB/T 20984.
Activity output. security risk analysis of the cryptography application solution.
5.2.3 Determination of basic requirements for cryptography applications
Activity objectives.
Based on the security risk analysis of information system cryptography application, the
basic requirements for information system cryptography application are proposed.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. security risk analysis part of the cryptography application solution.
Activity description.
According to the corresponding level indicator requirements in GB/T 39786, basic
technical requirements are proposed from four technical levels. physical and
environmental security, network and communication security, equipment and
computing security, and application and data security. Determine the indicator items
that do not involve the corresponding cryptography application requirements at each
level. Propose basic requirements for cryptography application management from four
aspects. management system, personnel management, construction and operation, and
emergency response. Among them, at the network and communication security level,
special attention should be paid to the ownership of the responsible party of the
communication channels connecting different information systems, and the
cryptography application requirements of the corresponding communication channels
should be clarified. At the application and data security level, it is necessary to focus
on clarifying the authenticity protection requirements of different login methods of
information system users. Clarify the integrity or security protection requirements of
each type of important data. Clarify the non-repudiation protection requirements in the
business activities of the information system.
Activity output. basic requirements for cryptography application of the cryptography
application solution.
5.2.4 Determination of special requirements for cryptography applications
Activity objectives.
Based on the industry characteristics of information systems, special protection
requirements for critical information infrastructure and important data, special
requirements for information system cryptography application are proposed.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. security risk analysis of cryptography application solutions, and
requirements of the industry and critical information infrastructure.
Activity description.
This activity mainly includes the following sub-activities.
a) Special compliance requirements
In response to the actual security risks faced by information systems, special
compliance requirements are proposed in accordance with the laws, regulations
and requirements related to the industry, critical information infrastructure and
important data, the cryptography application requirements proposed by the
competent authorities, and the cryptography application requirements proposed
in the critical information infrastructure standards that are not included in GB/T
39786 or are higher than GB/T 39786.
b) Special requirements for protecting important information assets
In view of the actual security risks faced by important information assets in
information systems, the necessity of implementing special measures for
cryptography application is judged. Special requirements for the protection of
important information assets are proposed.
Activity output. special requirements for the cryptography application of the
cryptography application solution.
5.2.5 Documentation of requirements analysis results
Activity objectives.
Summarize the basic requirements and special requirements of cryptography
applications to form the cryptography application requirements analysis part of the
cryptography application solution.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. security risk analysis of cryptography application solution, basic
requirements part of cryptography application, and special requirements for
cryptography application.
Activity description.
Based on the security risk analysis, basic requirements for cryptography applications,
and special requirements for cryptography applications, determine the cryptography
application requirements for the information system and form a cryptography
application requirements analysis. The cryptography application requirements analysis
includes the following.
a) Security risk analysis;
b) Description of basic requirements for cryptography applications;
c) Description of special requirements for cryptography applications.
Activity output. analysis of cryptography application requirements of the cryptography
application solution.
5.3 Design of cryptography application solutions
5.3.1 Overall strategy design
Activity objectives.
Determine the overall design goals and design principles for information system
cryptography applications so as to carry out the specific design of information system
cryptography applications.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. overall security policy document of the information system responsible
unit, project establishment, construction and management documents of the information
system, system overview part and cryptography application requirements analysis part
of the cryptography application solution.
Activity description.
Based on the overall security strategy of the information system responsible unit,
combined with the actual situation of information system construction planning and
cryptography application needs, the design goals and principles of information system
cryptography application should be clarified.
Activity output. design objectives and principles of cryptography application solutions.
5.3.2 Design of cryptography application technology solutions
Activity objectives.
Based on the analysis of cryptography application needs, cryptography application
technical measures that need to be implemented in information systems are proposed to
guide the specific construction of information system cryptography application.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. the cryptography application requirements analysis of the cryptography
application solution.
Activity description.
Design a technical framework for cryptography application based on the analysis of
cryptography application requirements. Analyze cryptography protection objects at the
levels of physical and environmental security, network and communication security,
equipment and computing security, and application and data security. Design and
propose cryptography application technical measures to be adopted. Among them, at
the level of network and communication security, it is necessary to focus on designing
cryptography application technical measures for communication channels across
insecure networks. At the level of application and data security, it is necessary to focus
on different information systems and design cryptography security mechanisms for
their key business links, important business data, business objects, etc. according to
their specific security needs. Select login authentication mechanisms for users. Select
the national and industry standards for cryptography that need to be followed for the
implementation of these mechanisms.
Design the information system key management system. Focus on the types of keys at
the application and data levels and the technical implementation and protection methods
of various keys throughout their life cycle. Clarify the technical measures for
information system key management.
Determine the sharing of cryptography technology resources within the information
system and the supply capacity of cryptography products and services in the market.
Make a list of cryptography products and services required.
Determine the need for application system modification when information systems
adopt cryptography functions.
Activity output. the cryptography application technical solution of the cryptography
application solution.
5.3.3 Design of cryptography application security management solution
Activity objectives.
Based on the analysis of cryptography application needs and combined with the original
management model and management strategy, a unified cryptography application
supporting security management system is formed.
Participating roles. information system responsible unit, cryptography application
integration service unit.
Activity input. cryptography application requirements analysis and cryptography
application technical solution of the cryptography application solution.
Activity description.
Based on the analysis of information system cryptography application needs and
combined with cryptography application technical solutions, a supporting security
management system for cryptography applications should be determined.
Activity output. the cryptography application security management solution of the
cryptography application solution.
5.3.4 Compliance self-inspection
Activity objectives.
Conduct self-inspection against the corresponding level requirements of GB/T 39786
and the relevant requirements of the industry and key information infrastructure. Ensure
that the cryptography application technology solution and cryptography application
security management solution meet the requirements.
Participating roles. information system responsible unit, cryptography application
integration service unit.
...... Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.
Tips & Frequently Asked QuestionsQuestion 1: How long will the true-PDF of English version of GM/T 0132-2023 be delivered?Answer: The full copy PDF of English version of GM/T 0132-2023 can be downloaded in 9 seconds, and it will also be emailed to you in 9 seconds (double mechanisms to ensure the delivery reliably), with PDF-invoice. Question 2: Can I share the purchased PDF of GM/T 0132-2023_English with my colleagues?Answer: Yes. The purchased PDF of GM/T 0132-2023_English will be deemed to be sold to your employer/organization who actually paid for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. www.ChineseStandard.us -- GM/T 0132-2023 -- Click this link and select your country/currency to pay, the exact amount in your currency will be printed on the invoice. Full PDF will also be downloaded/emailed in 9 seconds.
How to buy and download a true PDF of English version of GM/T 0132-2023?A step-by-step guide to download PDF of GM/T 0132-2023_EnglishStep 1: Visit website https://www.ChineseStandard.net (Pay in USD), or https://www.ChineseStandard.us (Pay in any currencies such as Euro, KRW, JPY, AUD). Step 2: Search keyword "GM/T 0132-2023". Step 3: Click "Add to Cart". If multiple PDFs are required, repeat steps 2 and 3 to add up to 12 PDFs to cart. Step 4: Select payment option (Via payment agents Stripe or PayPal). Step 5: Customize Tax Invoice -- Fill up your email etc. Step 6: Click "Checkout". Step 7: Make payment by credit card, PayPal, Google Pay etc. After the payment is completed and in 9 seconds, you will receive 2 emails attached with the purchased PDFs and PDF-invoice, respectively. Step 8: Optional -- Go to download PDF. Step 9: Optional -- Click Open/Download PDF to download PDFs and invoice. See screenshots for above steps: Steps 1~3 Steps 4~6 Step 7 Step 8 Step 9
|